Threat Intelligence Blog

Posted November 21, 2014

We recently shared intelligence about the phishing threat based on real attacks Cyveillance saw over a one-year period.

In each of those posts, we explained a few bits of actionable information found by examining only phishing attack URLs. In today’s post we’ll conclude with one more detail that security professionals might use to judge the likelihood that a web page is not what it claims to be, and is actually a phishing attack.

Everyone who uses the Internet is familiar with the “neighborhoods” of the web, like .com, .net, .biz, .org and the hundreds of other Top Level Domains (TLDs) out there. There’s a natural set of ratios of these TLDs that don’t really change much or very often.

According to W3techs, those ratios look like this:


We wondered if the ratios of the phishing attack URLs broke down the same way as in the data from W3techs. That is, are certain TLDs disproportionately likely to host a phishing attack?

Winners and Losers

Based on the data in our year-long data set of phishing attack URLs, we found the following statistically significant results:

  • TLDs which were over-represented: .org, .uk, .br, .fr
  • TLDs which were under-represented: .ru, .de, .jp, .pl
  • TLDs which were normally represented: .com, .net, .info, .it
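
One way to run this kind of comparison on your own URL feed, as an added example (not Cyveillance's code or method): it assumes a one-proportion z-test per TLD with a Bonferroni correction, since the post does not name the test used. The URLs, counts and baseline shares are constructed for illustration and are not W3techs or Cyveillance figures.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

def tld_of(url):
    """Return the last DNS label of the URL's host (e.g. 'org'), or None."""
    host = urlsplit(url).hostname          # needs a scheme such as http://
    if not host or "." not in host:
        return None
    label = host.rstrip(".").rsplit(".", 1)[-1].lower()
    return None if label.isdigit() else label   # raw IPv4 hosts have no TLD

def classify_tlds(urls, baseline, alpha=0.05):
    """Compare each TLD's share of `urls` with its baseline share (0 < p0 < 1).

    Returns {tld: (observed_share, z, verdict)}, verdict in over/under/normal.
    """
    counts = Counter(t for t in map(tld_of, urls) if t)
    n = sum(counts.values())               # TLDs outside `baseline` still count
    if n == 0:
        raise ValueError("no URLs with a usable hostname")
    per_test_alpha = alpha / len(baseline) # Bonferroni: one test per TLD
    out = {}
    for tld, p0 in baseline.items():
        p_hat = counts[tld] / n
        z = (p_hat - p0) / math.sqrt(p0 * (1 - p0) / n)
        p_value = math.erfc(abs(z) / math.sqrt(2))   # two-sided normal tail
        if p_value >= per_test_alpha:
            verdict = "normal"
        else:
            verdict = "over" if z > 0 else "under"
        out[tld] = (p_hat, z, verdict)
    return out

# Constructed sample: 2,000 synthetic URLs and made-up baseline shares.
SAMPLE_COUNTS = {"com": 1000, "org": 200, "net": 100, "ru": 20, "info": 680}
SAMPLE_URLS = [f"http://h{i}.example.{tld}/login"
               for tld, k in SAMPLE_COUNTS.items() for i in range(k)]
BASELINE = {"com": 0.50, "org": 0.04, "net": 0.05, "ru": 0.05}

if __name__ == "__main__":
    for tld, (share, z, verdict) in classify_tlds(SAMPLE_URLS, BASELINE).items():
        print(f".{tld:<4} share={share:.3f} z={z:+.2f} {verdict}")
```

A TLD flagged "over" here is a weak prior to combine with other URL features, not a verdict on any single page.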


Why each of those TLDs is more or less likely to host a phishing attack is an interesting question in itself.

Are .org websites more likely to be hosting phishing attacks because they’re more likely to be non-profits, and as such may be less able to devote resources to securing their websites so phishing attacks don’t happen?

What’s going on with Brazil? Could their significantly higher likelihood of hosting phishing attacks be related to an emerging global economic power (and an exploding middle class) combined with a corresponding shortage of web application and information security professionals to secure their sites? Whatever the reason, the pattern is similar to what was observed in our earlier post where we found that sites from were among the most compromised .gov sites on the planet.

Similarly, the lower likelihood of finding phishing attacks in the .ru TLD corresponds with the absence of phishing attacks in The trend is superficially counter-intuitive because Russia is often associated with cybercrime activity, but the data suggest that Russian actors actively avoid basing attacks in Russian cyberspace.

Whatever the reasons for these patterns, our findings are largely the same as those in a recent Anti-Phishing Working Group report, which supports our results.


As we move into , phishing remains a persistent issue for consumers worldwide. Are the world’s largest banks better protected than in earlier years? What are the implications for consumers and their finances?

We look forward to continuing the fight against cyber criminals in 2015, and finding patterns in their operations we can use to improve Cyveillance’s Anti-Phishing solutions. Contact us to learn how we can assist your organization.
